xo.com

EVOLVING SECURITY5 REASONS TO OUTSOURCE NETWORKSECURITY MANAGEMENT IN TODAY’STHREAT ENVIRONMENT

Contents

Introduction 3

Network Security is More Complex Than Ever 4

Costs from Attacks are Increasing 5

The Need for a Collaborative Approach 5

1. Greater centralization of network security controls and policies 6

2. Deeper and broader coverage 7

3. Experience and competence 7

4. Increased responsiveness 8

5. Cost savings (operational and opportunity) 8

The Cost Implications of Network Security Attacks 9

Conclusion 10

About XO Communications 11

About XO Hosted Security 11

About StillSecure 11

Evolving Security 5 Reasons to Outsource Network Security Management in Today’s Threat Environment

2 Solutions you want. Support you need.

3

XO Communications

Introduction

This white paper describes the reasons why companies outsource security management in

today’s threat environment. It includes an assessment of the overall threat landscape, and

reviews five key benefits of outsourcing.

Expanding use of Web 2.0 and Internet-based business applications creates new chal-

lenges for businesses that need to keep malicious security breaches from entering their

company networks. Next-generation security threats, including Advanced Persistent

Threats, are menacing and increasingly difficult to detect. A single data breach could have

potentially devastating direct and indirect consequences such as fines, penalties or law-

suits arising from a company’s failure to protect its private and personal customer informa-

tion according to industry standards. Security breaches also can result in huge financial

losses and lost revenue as a result of operational downtime, customer turnover, and dam-

age to credibility and reputation.

Many businesses no longer possess the in-house expertise or the resources to moni-

tor, detect or mitigate today’s sophisticated security threats from entering their networks.

Outsourcing network security management to a ‘Security-as-a-Service’ or cloud-based

delivery provider has become an attractive option for enterprises that need company-wide

visibility of their Internet security gateways, Unified Threat Management, 24x7x365 moni-

toring and management, and a stronger knowledge base of security best practices across

a broad range of industries. Besides centralizing security controls and policies across the

network, the cloud-delivery model of a ‘Security-as-a-Service” eliminates the need to buy

and manage premise-based security devices at individual locations. Security-as-a-Service

offerings that provide “clean pipes” capabilities help prevent unwanted or malicious traf-

fic from entering the network through the Internet or data “pipe”, and permit legitimate or

“clean” data traffic to get delivered across the network more efficiently.

Many businesses no longer possess the in-house expertise or the resources to monitor, detect or mitigate today’s sophisticated security threats from entering their networks.

4 Solutions you want. Support you need.

Evolving Security

Network Security is More Complex Than Ever

News stories about high-profile brands being compromised by network security breaches

are widespread. Because of the growing security threats, information security officers at

U.S. businesses are more concerned than ever about security risks. In a survey of more

than 2,000 small-to-medium business and enterprise security decision makers, the majority

of respondents listed data security (88%) and managing vulnerabilities and threats (84%)

among their top priorities.1

Sobering reports of network security threats are a constant reminder that the threat land-

scape has changed and become very complex. One security threat report predicted that

cumulative, unique malware samples will have surpassed 75 million by year-end 2011.2

What’s behind this surge in malware?

A key factor is that hackers can more easily acquire software that they need to inflict dam-

age. For example, exploits can be bought and sold on the black market for a few hundred

dollars. The code for malware and worms is readily available over the internet for dupli-

cation and manipulation. The code for the Stuxnet worm, one of the most sophisticated

worms ever discovered, was effectively open sourced with point-and-click accessibility. As

malware advances, it’s easier than ever for criminals to use it to inflict harm.

In addition, there are new avenues that hackers can use to gain access to an enterprise

network—particularly from social media, virtualized servers, cloud computing applications,

wireless networking and smart phone applications.

1 Forrester Research, Inc., Security Futures: Selected Results from Forrsights Security Survey Q3 2010, presen-tation, September 23, 2010, slide 10.

2 McAfee Labs, McAfee Threats Report: Third Quarter 2011, page 6

Sobering reports of network security threats are a constant reminder that the threat landscape has changed and become very complex.

5

XO Communications

Attacks Grow in Number and Sophistication

One cyber-security watch

survey of 600 organizations

found that:

• 81% of respondents’ organi-zations experienced a secu-rity event between the survey period of August 2009 and July 2010, compared to 60% the year before

• Of the companies that expe-rienced an attack, 28% of respondents saw an increase in the number of attacks

• Cyber attacks from foreign entities doubled to 10% from 2009 to 20106

Costs From Attacks are Increasing

Costs associated with corporate network attacks are severe and growing.

According to one security industry study, the cost of a data breach rose for five

consecutive years from 2006 through 2010.3 Clean up costs that resulted from

damaging data breaches among the surveyed companies increased to $7.2 million

and cost an average of $214 per compromised record.4 In another security threat

report that surveyed 50 corporations, malicious code, Denial of Service, and web-

based attacks were cited as the most costly types of threats for businesses.5

Unfortunately, IT budgets are struggling to keep up with the rise in costs to

clean up after security breaches. While a sluggish economic recovery has put

downward pressure on security budgets, new and evolving technologies provide

corporate spies, cyber warriors, and other hackers with new avenues with which

to exploit network vulnerabilities. As a result, Chief Security Officers (CSOs) and

Chief Information Security Officers (CISOs) face the nearly impossible challenge

of having to strengthen network defenses within significant budgetary constraints.

The Need for a Collaborative Approach

As information security risks soar, it’s become harder for security professionals

to dedicate the time and resources to everyday monitoring, management and

responses that are necessary to combat the increased risks. As a result, many

companies are selecting service providers to help them improve preparedness in

the most cost-efficient manner, thereby freeing up in-house staff for other activi-

ties, such as strategic planning and management.

Why do enterprises hire a third party to manage network security? One survey of

1,400 small-to-medium business and enterprise security decision makers identi-

fied the top motives. Respondents indicated said that it was important to them to

improve the quality of protection, gain 24x7 coverage, reduce cost, gain greater

competency or specialized skills, and to reduce complexity.7

3 Ponemon Institute LLC, 2010 Annual Study: U.S. Cost of a Data Breach, April 10, 2010; Overall Trends, page 5.

4 Ponemon Institute LLC, 2010 Annual Study: U.S. Cost of a Data Breach, April 10, 2010, Overall Trends, page 5.

5 Ponemon Institute, LLC, Second Annu al Cost of Cyber Crime Study: Benchmark Study of U.S. Companies, August 2, 2011, Page 2.

6 Software Engineering Institute CERT Program at Carnegie Mellon, Press release, “2011 Cybersecurity Watch Survey: Organizations Need More Skilled Cyber Professionals to Stay Secure” January 31, 2011, pages 1-2; survey by CSO, the U.S. Secret Service, the Software Engineering Institute CERT Program at Carnegie Mellon University, and Deloitte.

7 Forrester Research, Inc., Security Futures: Selected Results from Forrsights Security Survey Q3 2010, presentation, September 23, 2010, slide 10.

6 Solutions you want. Support you need.

Evolving Security

“Undeniably more businesses value the benefits of outsourcing their security management

to a service provider to deploy a more layered defense strategy across the entire network.

Outsourcing helps companies simplify their infrastructure and costs, and also frees up their

time to devote to core security functions such as strategic planning, governance and risk

management, and regulatory compliance reporting responsibilities.

The biggest benefits of outsourcing are greater centralization of network security controls

and policies, deeper and broader coverage of security threat intelligence from experienced

network security professionals, increased responsiveness, and considerable cost savings.

Following is a more detailed look at these five core benefits.

Benefits of outsourcing

1. Greater centralization of network security controls and policies

Businesses with multiple locations, flat IT management structures, and fragmented

approaches to security make easy targets for hackers. Enterprises that lack a cohesive

security strategy and uniform, top-down security implementation open up vulnerabilities,

often at network endpoints. When company-wide security policies and rules aren’t con-

sistently updated on a centralized network firewall, problems can arise that can jeopardize

the security of the entire network. In addition, if companies with Managed Security at the

customer premise of an individual location fail to update the premise-based firewall at that

location, it could open the door for hackers to gain access, which compromises the net-

work. Security leaders who recognize these vulnerabilities increasingly turn to the Security-

as-a-Service model, which centralizes and standardizes network security controls and

policies across the organization. By definition, Security-as-a-Service models are typically

delivered virtually using a cloud-based delivery model and may be referred to as network-

based services. Beyond the benefits of centralization, the virtualized, cloud-based delivery

model eliminates the need to buy and manage premise-based, security devices and appli-

ances, and manage software updates at each location.

Many organizations don’t have the tools and in-house expertise to detect these threats, so attacks and security breaches go unnoticed.8

8 Gartner Research, Inc., Network Security Monitoring Tools for ‘Lean Forward’ Security Programs. February 1, 2011.

”- Gartner Research, Inc.

7

XO Communications

2. Deeper and broader coverage

By outsourcing network security management, businesses are able to significantly improve

network security with proactive, 24x7x365 monitoring and alerting —without having to

recruit, train, and manage additional internal IT staff. Many security service providers offer

SSAE 16- audited Security Operations Centers that are staffed with professional analysts

who have access to hundreds of security feeds, including those from the U.S. Computer

Emergency Readiness Team (CERT), the FBI, and major software providers such as

Microsoft®. When threats are identified, analysts are able to block attack pathways and

send appropriate notifications. Since security analysts are monitoring around the clock,

threats are addressed strategically—before or as they happen, in real time, and not just

during business hours.

3. Experience and competence

Businesses that choose to hire a third party to manage their network security benefit from

an immediate boost in quality as well as quantity of coverage. That’s largely because

Security-as-a-Service providers focus exclusively on the detection, prevention and neu-

tralization of network threats. In-house security and IT staff, tasked with a wide range of

responsibilities, typically cannot focus purely on information security. Many in-house secu-

rity teams don’t have the same depth of knowledge that comes with specialization or the

same degree of expertise in network analysis as a Security-as-a-Service provider.

In a Global State of Information Security Survey of more than 12,800 executives in busi-

nesses of 135 countries, 59% of respondents said that having an increased reliance on

managed security services was important; and 43% said that economic realities caused

them to reduce the number of security personnel.9

9 “Respected but still restrained: Findings from the 2011 Global State of Information Security Survey, by PriceWaterhouseCoopers, CIO magazine and CSO magazine, published September 15, 2011, page 17.

Businesses that choose to hire a third party to manage their network security benefit from an immediate boost in quality as well as quantity of coverage.

8 Solutions you want. Support you need.

Evolving Security

4. Increased responsiveness

With a singular focus on network threats, network security service providers offer a level of

readiness that gives clients a considerable edge in terms of preparedness and overall miti-

gation of risk. With daily access to hundreds of industry security alert feeds, Security-as-

a-Service providers have an up-to-the-minute awareness of existing and potential threats,

often far sooner than an in-house security team.

5. Cost savings (operational and opportunity)

Outsourcing network security management can be an ideal solution for many enterprises,

given today’s rising security threat environment and stagnant security budgets. Some

businesses whose industry compliance regulations are so complex that they require highly

specialized in-house expertise and certified professional security professionals may prefer

to keep network security in-house. Yet for many other businesses, the Security-as-a-

Service model lowers operational and capital expenses by reducing the need to hire, train

and manage additional security staff, as well as the costs associated with location-based

customer support, security appliances and software patch updates.

There are other savings as well. Blocking unwanted traffic on a company network frees up

bandwidth that can be shared with other locations on the network, thereby helping com-

panies save on Internet costs. In this way, enterprises can ensure strong network security

without degrading the availability or performance of their corporate network.

In addition, the outsourced security model eases many information security officers’ con-

cerns over control. Chief Information Security Officers (CISOs) and other decision makers

realize the distinction between network security execution and control—and that outsourc-

ing doesn’t mean that a company relinquishes control of security policies. On the contrary,

even with an outsourced network security component, enterprises still set the rules that

govern their security policies. In turn, service providers implement the management of

these policies based on custom requirements. Leading security service providers collabo-

rate closely with their clients to design, implement, and manage network security that’s

appropriate for each business. In addition, security policies often need to be adjusted

several times a day as new threats develop. A service provider can help the organization

put the rules into place and monitor threats accordingly.

Outsourcing network security management can be an ideal solution for many organizations, given today’s rising security threat environment and stagnant security budgets.

9

XO Communications

10 Ponemon Institute LLC, Research Report, Second Annual Cost of Cyber Crime Study: Benchmark Study of U.S. Companies, published August 2011, Executive Summary, page 2.

11 Ponemon Institute LLC, Research Report, Second Annual Cost of Cyber Crime Study: Benchmark Study of U.S. Companies, published August 2011, Executive Summary, page 2.

12 Ponemon Institute LLC, Research Report, Second Annual Cost of Cyber Crime Study: Benchmark Study of U.S. Companies, published August 2011, Executive Summary, page 2.

The Cost Implications of Network Security Attacks

The longer it takes to clean up after a network security attack, the greater the financial

impact. According to one 2010 study, it took companies an average of 14 days and an

average of $247,744 to clean up after an attack.10 A year later, respondents to the 2011

study report that it takes them an average of 18 days and an average of $417,748 to clean

up after an attack.11 The study also found that 40% of the external costs to an organization

for cyber crime were attributed to information theft, and that 28% were due to business

disruption and lost productivity.12 Many IT departments, particularly those whose fund-

ing is tied to corporate profits, either cannot currently afford or cannot count on having

the resources to pay for dedicated analysts to monitor their systems 24x7. Without expert

around-the-clock coverage, these organizations tempt a costly fate.

18 daysCost of a Network attack

per day, according to one

industry survey.

The average length of time

it took to clean up after an

attack in 2011, according

to respondents of a bench-

mark survey, compared

with 14 days in 2010.

of the external costs to

an organization for cyber

crime were attributed

to information theft,

according to one industry

research study.

$23,200 40%

10 Solutions you want. Support you need.

Evolving Security

Conclusion

According to Gartner, Inc, a leading information technology research and advisory com-

pany, “the cost of mitigating a data breach is likely to be vastly greater than the cost of

preventing the breach beforehand—perhaps by a 70-to-1 margin in 2011.” 13

High profile attacks against government agencies and large corporations make us all

cognizant of the threat potential from hackers and cyber anarchists. These episodes have

prompted new and expanding regulatory frameworks that, paradoxically, have increased

the strain on in-house security resources. This all comes at a time when economic pres-

sures and uncertainties strain even the most competent information security professionals

at U.S. enterprises. Fortunately, the benefits of an outsourced Security-as-a-Service model

help resolve these issues with greater centralization; greater depth and breadth of cover-

age; greater experience and competence; increased responsiveness; and greater cost

efficiency than traditional, premise-based approaches at individual sites.

13 Gartner Research, Gartner Predicts 2011: Infrastructure Protection is Becoming More Complex, More Difficult and More Business-Critical than Ever, November 16, 2010.

The benefits of outsourcing: greater centralization, greater depth and breadth of coverage, greater experience and competence, increased responsiveness, and greater cost efficiency reduce the strain on information security professionals at U.S.-based businesses.

XO Communications

About XO Hosted Security

XO® Hosted Security is a Security-as-a-Service offering that gives companies more flex-

ibility to deploy and manage comprehensive network-based security. The solution provides

high-speed, unified threat management capabilities and advanced technology, and sup-

ports customers 24/7 through a certified security partner, StillSecure. XO Enterprise Cloud

Security includes one or more next-generation network-based firewalls; intrusion detection

and prevention, including Distributed Denial of Service (DDoS) protection; secure web and

content filtering; and secure remote access to the company network. Since all of the secu-

rity applications reside in the cloud, organizations with widely distributed operations can

implement robust security services without having to manage and maintain the equipment

and infrastructure at each location. Hosted Security is fully integrated with the award-

winning XO MPLS IP-VPN intelligent networking service. For more information, visit www.

xo.com/hostedsecurity.

About StillSecure

StillSecure, a technology partner for Hosted Cloud Security, delivers comprehensive

network security that protects organizations from the perimeter to the endpoint. Offering

both products and managed security services, StillSecure enables customers to affordably

deploy the optimal blend of technologies for locking down their assets and

complying with security policies and regulations. StillSecure customers range from mid-

market companies to the world’s largest enterprises and agencies in government,

financial services, healthcare, education, and technology. For more information visit

http://www.stillsecure.com.

Hosted Security is a Security-as-a-Service offering that gives companies more flexibility to deploy and manage comprehensive network-based security.

© Copyright 2012. XO Communications, LLC. All rights reserved. 11

XO, the XO design logo, and all related marks are registered trademarks of XO Communications, LLC.

© Copyright 2012. XO Communications, LLC. All rights reserved. XO, the XO design logo, and all related marks are trademarks of XO Communications, LLC. XONSWP-0412

About XO Communications

XO Communications is a leading nationwide provider of advanced broadband communications

services and solutions for businesses, enterprises, government, carriers and service providers.

Its customers include more than half of the Fortune 500, in addition to leading cable companies,

carriers, content providers and mobile network operators. Utilizing its unique combination of high-

capacity nationwide and metro networks and broadband wireless capabilities, XO Communications

offers customers a broad range of managed voice, data and IP services with proven performance,

scalability and value in more than 85 metropolitan markets across the United States. For more

information, visit www.xo.com.

For XO updates, follow us on: Twitter | Facebook | Linkedin | SlideShare | YouTube | Flickr